On June 28, 2018, the California Consumer Privacy Act of 2018 (CCPA) was signed into law. The CCPA provides consumers who are residents of California a number of rights and, unless the date of implementation is amended by California Senate Bill SB-1121 or another mechanism, the CCPA will become effective January 1, 2020.
While implementation is slated for next year, the current expectation is that recordkeeping, data mapping and the resulting consumer-facing actions must cover data collected during calendar year 2019. That means now!
The CCPA has often been compared to the General Data Protection Regulation (GDPR) enacted by the European Union on May 25th, 2018. In the same sense that there are some complementary aspects between GDPR and the Gramm-Leach-Bliley Act (GLBA), harmony may also be found between GDPR and CCPA in more complex scenarios. Generally, there are very different opinions on who owns and should control a given user’s data; they range from the service provider, as outlined in the terms of service, to the user, who should have ultimate control.
The CCPA will provide consumers with these rights:
- Know what personal information is being collected about them
- Know if their personal information is sold, to whom and for what purpose
- The ability to opt OUT of the sale of their personal information to third parties
- The need to opt IN for those under 16, aligning with Children’s Online Privacy Protection Act (COPPA)
- Easier path to legal action following a breach
- Equal service and price regardless of whether they exercise their privacy rights
The CCPA applies to any for-profit legal entity, anywhere in the world, that is ‘doing business’ (collecting personal information as it sells goods or services) with California residents and that meets any one of these three criteria:
- Annual revenue of $25 million or more
- Buys, sells, receives, or otherwise trades “the personal information of 50,000 or more [California residents], households, or devices”
- Derives 50% of their revenue from selling California residents’ personal information
Civil penalties imposed under the CCPA will be limited to $2,500 for each violation or up to $7,500 for each intentional violation. Additionally, violating entities can be subject to an injunction.
Exemptions for organizations regulated under the GLBA and some state regulations, such as the California Financial Information Privacy Act (CFIPA), are available but organizations must take care to ensure that the data collected and processed falls under one of these regulations. If they do not, the data is subject to the CCPA and all that it requires.
The scope of the exemption partially hinges on the difference in how CCPA and GLBA or CFIPA define ‘Consumer’ and ‘Personal Information’. By way of example, “Personal Information” under the CCPA is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”, while GLBA is narrower in scope and necessarily concerned with financial information. Much remains to be determined in the coming year.
Exemptions are also available where other privacy protections were already in place; two such protections are the California Confidentiality of Medical Information Act (CMIA) and, at the federal level, the Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH).
Organizations that maintain “patient information” and/or “protected health information” and that (generally) meet the privacy, security, and breach notification rules defined by CMIA and HIPAA/HITECH may be exempted.
Key dates – past and future:
- August 31st, 2018 – The California legislature adopted technical amendments, which further refined a number of terms and concepts in the CCPA.
- January 2019 – The California legislature will entertain additional language and consider areas of the law that require further clarification.
- July 1st, 2020 – Deadline for the California Attorney General to draft and adopt the law’s implementing regulations.
- July 1st, 2020 or 6 months after implementation (whichever comes first) – Enforcement actions under the CCPA are delayed until this date.
Organizations that collect, consume, sell and retain personal information on California residents will be legally obligated to adhere to the CCPA. Consumer data is certainly a strategic business asset but also a significant liability demanding thoughtful handling.
In the coming months, there are many challenges for the CCPA as currently written. Many have concerns that the bill was forced through the legislature and is half-baked, with too much ambiguity. For example, the threshold for an ‘in-scope’ business is 50,000 users, but it is unclear whether those are California residents or the total for consumers nationwide. There is a cry for a federal law from various directions, such as Intel’s Proposed Bill or the Data Care Act Of 2018 (S.37443), that, along with industry input, may derail the CCPA.
There will certainly be additional regulatory regimes in the future with similar scope, territoriality and intent that attempt to address both security and privacy. When considering the processes and technologies that you employ while addressing CCPA, additional consideration should be paid to harmonizing all of your collective regulatory requirements such that common, proven and robust controls can be supported.
GDPR is without doubt groundbreaking in its approach, and it would appear that the authors of the CCPA constructed their privacy legislation, as written, to accomplish the same goals in a narrower scope. The challenge is whether the CCPA and others like it can find the balance between being flexible enough to adjust to the rapidly changing privacy landscape while remaining viable, versus becoming overly prescriptive and ultimately brittle over time.
At the end of the day, long overdue privacy legislation is at our doorstep; the CCPA and others like it are rapidly driving interest in federal law, and at the very least the CCPA will prove to be its foundation.